This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

We have an apparent problem in that some requests to our IIS server do not have cookies. We actually have an ISAPI filter that is reporting the problem but we would like an independent verification: (a) how do we set up a filter in Wireshark that shows the http requests that do NOT have cookies [ignoring those that do]. (b) how to we set up a filter that shows HTTP traffic with cookies that exceed a certain size

Thanks

asked 31 Jan '11, 16:02

Julian%20Dohmen's gravatar image

Julian Dohmen
1111
accept rate: 0%


(a) http.request.method and not http.cookie

(b) not sure how to do this, there doesn't seem to be a good way to filter for this, but maybe somebody else has a good idea

permanent link

answered 31 Jan '11, 16:45

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 31 Jan '11, 17:07

Thanks! I am pretty new to Wireshark - I see that the filter above is a Display Filter which I am trying out [and I did use the word show of course] but is there a capture filter that would only allow cookie-less http requests through? Thanks

(01 Feb '11, 06:28) Julian Dohmen

I'm not sure if this is possible, maybe through some very advanced offset matching filters, but that is beyond my experience as I rarely use capture filters at all (and when I do I usually filter on nothing more than MAC or IP addresses). Maybe somebody else has a solution for you.

(01 Feb '11, 06:49) Jasper ♦♦

Thanks - we can probably use your display filter as the main thing is to see items without cookies.

(01 Feb '11, 11:29) Julian Dohmen

Capture HTTP GET requests:
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

You can find this and other capture filter examples in the Wireshark Wiki.

permanent link

answered 01 Feb '11, 21:13

joke's gravatar image

joke
1.3k4934
accept rate: 9%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×293
×9
×1

question asked: 31 Jan '11, 16:02

question was seen: 4,894 times

last updated: 01 Feb '11, 21:13

p​o​w​e​r​e​d by O​S​Q​A